Security Vulnerabilities - CVEs Published In October 2020
An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. There is a blind SQL injection in the lancompenent component, allowing logged-in attackers to discover arbitrary information.
CVSS Score
6.5
EPSS Score
0.004
Published
2020-10-02
A remote stored xss vulnerability was discovered in HPE KVM IP Console Switches version(s): G2 4x1Ex32 Prior to 2.8.3.
CVSS Score
5.4
EPSS Score
0.003
Published
2020-10-02
A remote code injection vulnerability was discovered in HPE KVM IP Console Switches version(s): G2 4x1Ex32 Prior to 2.8.3.
CVSS Score
8.8
EPSS Score
0.009
Published
2020-10-02
The Linux kernel through 5.8.13 does not properly enforce the Secure Boot Forbidden Signature Database (aka dbx) protection mechanism. This affects certs/blacklist.c and certs/system_keyring.c.
CVSS Score
6.5
EPSS Score
0.0
Published
2020-10-02
NVIDIA Windows GPU Display Driver, all versions, contains a vulnerability in the NVIDIA Control Panel component in which a user is presented with a dialog box for input by a high-privilege process, which may lead to escalation of privileges.
CVSS Score
7.8
EPSS Score
0.001
Published
2020-10-02
Vapor is a web framework for Swift. In Vapor before version 4.29.4, Attackers can access data at arbitrary filesystem paths on the same host as an application. Only applications using FileMiddleware are affected. This is fixed in version 4.29.4.
CVSS Score
8.5
EPSS Score
0.006
Published
2020-10-02
BOSH System Metrics Server releases prior to 0.1.0 exposed the UAA password as a flag to a process running on the BOSH director. It exposed the password to any user or process with access to the same VM (through ps or looking at process details).
CVSS Score
6.5
EPSS Score
0.003
Published
2020-10-02
`cloudflared` versions prior to 2020.8.1 contain a local privilege escalation vulnerability on Windows systems. When run on a Windows system, `cloudflared` searches for configuration files which could be abused by a malicious entity to execute commands as a privileged user. Version 2020.8.1 fixes this issue.
CVSS Score
6.4
EPSS Score
0.0
Published
2020-10-02
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data.
CVSS Score
5.4
EPSS Score
0.071
Published
2020-10-02
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-8184 for more information.
CVSS Score
4.3
EPSS Score
0.185
Published
2020-10-02